Last month I described the ability to track users sessions with browser data. A recent posting on IT Law in Ireland highlighted a series of blog posts elsewhere that give further insight into what is possible.

Well, I just got round to reading them properly. The posts on Freedom to Tinker by David Robinson and Harlan Yu are:

• Identifying John Doe: It might be easier than you think
• What Third Parties Know About John Doe
• The Traceability of an Anonymous Online Comment

The conclusion? It is possible to trace and identify individuals easier than you may think. We are dropping evidence like dead skin cells as we traverse the internet. Fact or fiction? Well the US Defense Advanced Research Projects Agency (DARPA) are taking it seriously with a recent call for research into cyber genetics, cyber anthropology and cyber physiology in its Cyber Genome Program. DARPA hopes to develop advanced methods to fingerprint or identify the origins of a cyber attacks by examining digital artifacts, and presumably other criminal activities utilising computer technology.

Getting a bit more down to earth, web site owners need to consider what information is being gathered and why, ensure this is legal, check that consent is implied or has been explicitly given for the purposes and what monitoring and analysis is performed on the data. It could be easy for system developers to carried away with tracking and tagging. Contracts with third parties should state clearly what the expectations are about the security and privacy of information, to protect web site users (employees, customers, clients, citizens) and the business.

Today I thought I'd share some of my favourite blog posts about building software securely by implementing web application security programmes.

The excellent blog posts about building a software security assurance programme are:

• Rafal Los on Enterprise Web Application Security and Building a Web Application Security Program Without a Budget
• Justin Clarke on The Fallacy of Secure Software
• Adrian Lane on Agile Development and Security

Can you recommend any others?

As a reminder, the main software security maturity models and process models are:

• Building Security In Maturity Model (BSIMM)
• Microsoft Security Development Lifecycle (SDL)
• National Institute of Standards and Technology (NIST) SP 800-64 Rev2 Security Considerations in the Information System Development Life Cycle
• Software Assurance Maturity Model (SAMM)

Last week Microsoft also released a short document describing how to implement a simplified version of their SDL.

Which should you choose? It's what works in your own organisation that matters. Ask your software suppliers (e.g. web developers) what they use before you buy.

On Thursday the UK Government's Central Office of Information (COI) is hosting an event about auditing government websites aimed at government agencies (EAs) and non-departmental public bodies (NDPBs) that have a deadline looming in April 2010.

Web site quality and value concerns were raised in a National Audit Office report on Government on the Internet: Progress in Delivering Information and Services Online in published in July 2007 and recommendation made in the Public Accounts Committee (PAC) Sixteenth Report. Along with their other web standards and guidelines, the COI has issued standards relating to costs, usage and quality. Version 1.1 of TG126, November 2009, on measuring website quality describes three requirements for measuring and auditing website usage:

The benefits of web site auditing were described last year by Adam Bailin on the Digigov blog.

It is very encouraging that the COI are developing standards to improve quality and value. Apart from usage measurement and audit, the quality requirements cover the topics of domain names, usability, accessibility, archival, browser testing, web site map, cost monitoring and web site closure (disposal).

But there are some areas that are not represented in these standards. A glance at something like ISO 9126 indicates other important software quality. A starting point would be to monitor some privacy and security metrics.

And of course, I'd like to see some government requiring some standards for security, which unlike privacy, has a much less firm legal guidance and regulation (for privacy these are the Data Protection Act 1998 and the Information Commissioner's Office). The most well-developed standard for web site security verification is the Application Security Verification Standard (ASVS) from the Open Web Application Security Project. It's free to download and use, and perhaps this can be incorporated or referenced by future government standards and other software security assurance programmes.

Sometimes finding all the web applications in an organisation can be the difficult part in trying to assess what risks exist.

Transport for London don't just have web sites and, I suspect, an intranet. They have been gradually moving from whiteboards for live underground travel news at tube stations:

And now have electronic versions:

I don't know what technology is being used here, but other information boards have been seen to display web browser error messages leaking network information:

But, what about elsewhere? I saw this on the live electronic advertisement boards at Bond Street station this weekend:

Sorry it's a bit blurred, but I was going up the escalator at the time. Several, but not all the displays had their system names shown rather than an advertisement. It certainly looks like an IP address, but is there a web application inside? I've previously highlighted other information systems and displays that seem to be IP-enabled.

An investigation of your network, examining what is listening on which ports, and correlating this with the actual network traffic, might reveal more web applications than you thought.

This week, the first Irish Application Security conference is being held at Trinity College, Dublin. OWASP Ireland AppSec 2009 Conference is a full-day event with two conference tracks and optional training courses on the previous day.

I am sorry not to be attending, but did at least hear Dinis Cruz's updated presentation about OunceOpen (O2), an open platform for automating application security knowledge and workflows, at the OWASP London chapter meeting last week.

This has developed considerably since I last heard Dinis speak at AppSec EU09 in May and the vision is starting to shine through. Dinis' presentation is now on the OWASP London chapter page, but I'd recommend downloading and trying the various modules from the project website and joining the mailing list. Also at last week's meeting, Dave Marsh gave a comprehensive presentation on using tokenisation surrogates to protect sensitive data. I was surprised this approach could potentially reduce the PCS DSS scope so much, with even payment card entry forms on web pages being out-of-scope. I'll need to read the justification for that.

Apart from Dublin this week, the next big application security conferences are OWASP AppSec Germany 2009 in Nuremberg, Germany on 12-13 October 2009 and OWASP AppSec 2009 in Washington, United States on 10-13 November 2009.

Bruce Schneier's blog posting this week about Security vs. Usability highlighted an essay by Prof Don Norman (of the Nielsen Norman Group) concerning When Security Gets in the Way.

It struck a chord with me since I had just been reading an article on Econsultancy.com speculating that customer's problems with 3D Secure had led to Google Checkout Dropping Payment by Maestro. You might know 3D Secure better by the scheme-specific names Verified by Visa and MasterCard SecureCode. The implementation of these schemes by banks and e-commerce merchants has been a terrible mishmash of in-line frames, pop-up windows, unbranded pages, redirects and mandatory JavaScript. Most instances have terrible usability, many raise users' security concerns and some applied the password setup and change mechanisms poorly. The article suggests merchants have found 3D Secure decreases the conversion rate. How were usability and privacy concerns addressed during each system's design? After all, the users are the banks' customers, and the credit card companies' customers and the e-tailers' customers.

Prof Norman finishes with:

Perfect.

Last night, I spoke at OWASP Ireland's meeting in Dublin about the previously discussed Software (Security) Assurance Maturity Model (SAMM).

My presentation defined what software assurance, and in particular software security assurance, are, and why they are needed for complex software quality aspects. I also discussed what a maturity model is and how SAMM fits in with other business, project management, IT and software development maturity models. Moving onto SAMM, we reviewed the structure and how it may be used in software development teams and businesses to measure the current capability, act as a benchmark and help in building out a software security assurance programme.

There's been some discussion about applying SAMM on the SAMM mailing list, but it was good to chat with other people about their experiences and ideas to help organisations build better (more secure) software. The evening continued with an interesting talk on Niall Jordan on "Evading SQL Injection Detection Through Encoding", and then off to the nearest (almost adjacent) pub for further lively discussion and debate.

Oh, and a reminder... the Ireland chapter have organised OWASP Ireland AppSec 2009 Conference on 10 September 2009. With two tracks of application security related presentations from excellent speakers, I think it's going to be well worth attending.

It can be hard to justify business spending when web sites are often viewed as low-value assets. The fact that so much Internet content and services are free, and you can buy a web site for less than the cost of a colour TV licence in the UK reinforces this idea in many small and medium enterprises (SMEs).

Much of my work is related to dealing with security incidents, such as web sites which have been hacked, or where an organisation is having security requirements imposed by their own customers and clients. Often these activities are undertaken late in the project and are therefore less effective, and more costly, than they might need to be.

I adhere to the principle "prevention is better than cure", and encourage the early consideration of security and privacy matters—just like any other business process requirement. It was encouraging to read the useful guidance and pointers on Business Cases For Software Security Initiatives but for many organisations, the issues are too complex and they don't have any supporting data. For those I recommend, as a starting point, concentrating on four types of issue:

1. mandatory compliance issues (e.g. legislative and contractual)
2. problems which can assist theft or fraud
3. security events which would be severely disruptive and possibly put the organisation out of business
4. issues for customer trust and ongoing reputation

It's always organisation specific though. As organisations mature, they can be encouraged to look at wider security issues—but, let's get the basics right first.

The next Open Web Application Security Project (OWASP) London meeting is this week.

The OWASP local chapter meeting in London is on Thursday 12 March 2009. Everyone is welcome, but you need to register (free) first.

After an introduction from the new chapter leader Justin Clarke, there will be talks on advanced SQL Injection techniques and the Software Assurance Maturity Model (SAMM), including perhaps discussion of the recently launched Building Security In Maturity Model (BSIMM). I will also be speaking briefly about the OWASP Global Industry Committee.

See you there.

Update 11th March 2009: The tutorials and conference programme have been released for the biggest European application security event of the year OWASP AppSec Europe 2009 in May. The Keynote speakers are Ross Anderson, Professor in Security Engineering, University of Cambridge and Bruce Schneier, Chief Security Technology Officer, BT.

The next Open Web Application Security Project (OWASP) Application Security (AppSec) European Conference is in Kraków, Poland from 11-14 May 2009.

The OWASP AppSec Europe 2009 will include two days of training and a two-day conference with a pair of tracks. Whilst this is a reminder for web application managers, architects, designers, developers, testers and auditors to keep the date free, the calls for presentations, trainers and refereed research papers are currently open:

• Call for presentations, deadline 1 February 2009
• Call for training providers, deadline 1 February 2009
• Call for refereed research papers, deadline 2 March 2009

So if you are working in web application security, please consider participating.

The next OWASP local chapter meeting in London is on Thursday 12 March 2009 at which I hope to be speaking about the OWASP Global Industry Committee. Everyone is welcome, but you need to register (free) first.

Update 19th May 2009: See also What's the Scope for Accessibility Testing? and Can An Accessible Web Application Be Secure? concerning my own presentation at OWASP AppSec EU09.